BlazeDS Java Object Deserialization Exploit Walkthrough

During a recent internal network penetration test, we saw indications that an Adobe ColdFusion host was vulnerable to the BlazeDS Java Object Deserialization exploit. After performing some research, I couldn’t find a single resource with the information I needed to exploit this issue. In this post I’ll walk through exactly how to exploit the BlazeDS Java Deserialization vulnerability, so the next time you come across it in your environment, you can more easily show the impact to your engineers.

Indication

Here is the output from Nessus indicating the remote host is vulnerable:

Building the second stage wasn’t inherently difficult; I just needed to understand what was required for JRMPListener. The exploit details state: “You will need a JRMPListener (ysoserial) listening at callback_IP:callback_port.”

Ysoserial “is a collection of utilities and property-oriented programming ‘gadget chains’ discovered in common java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects.”

I found additional resources online that discussed weaponization of Nessus plugins in this article: https://depthsecurity.com/blog/weaponization-of-nessus-plugins-1. It’s helpful to see what Nessus is doing to determine that the remote host is vulnerable to the exploit. However, I was more interested in the JRMPListener setup command.